Tags: re wat 

Rating: 0

Binary is interpreting input string as a sequence of 15 two digit decimal numbers. Variable X is set to 0, after that each number determines next operation to be done with X. For example, operation 01 makes `X += 0x58335249`. After 15 operations `abs(X)` should be `0x6F2E255A`.

If we look closely to numbers used in operations, we'll see that they are in fact ASCII codes. In said operation 01 `0x58335249` is ASCII string `X3RI`, which is actually a Base64 encoded string `_tH`. All strings are `['0ys', '3_B', '3_y', '4rD', 'A_b', 'R1n', '_ID', '_Th', '_t0', '_tH', 'a11', 'gS_', 'sun', '{mY', '}']`. We definitely see the word `sun` and curly braces, so it seems that we need to arrange these parts properly to get the flag.

Brute-forcing order of operations is hard. What if we can arrange parts directly, just by meaning? This it exactly what we've done. After a bit of trying different approaches we came to this simple function that just tries to add each part to prefix:
``` python
def try_all(prefix):
parts = ['0ys', '3_B', '3_y', '4rD', 'A_b', 'R1n', '_ID', '_Th', '_t0', '_tH', 'a11', 'gS_', 'sun', '{mY', '}']
for part in parts:
if part not in prefix:
print(prefix + part)
```
Example output:
```
>>> try_all('sun{mY_ID')
sun{mY_ID0ys
sun{mY_ID3_B
sun{mY_ID3_y
sun{mY_ID4rD
sun{mY_IDA_b
sun{mY_IDR1n
sun{mY_ID_Th
sun{mY_ID_t0
sun{mY_ID_tH
sun{mY_IDa11
sun{mY_IDgS_
sun{mY_ID}
```

Using this approach we got flag from parts in a minute, `sun{mY_IDA_bR1ngS_a11_Th3_B0ys_t0_tH3_y4rD}` (or `sun{mY_IDA_bR1ngS_a11_tH3_B0ys_t0_Th3_y4rD}`, I don't really remember).